Friday, March 30, 2007

Vista, Backdoors and the 4th Amendment

As you may know, rumors have spread that Microsoft put a backdoor in its Vista program to accommodate law enforcement’s need to search on computers.

Microsoft denies this, which I tend to believe, but I know people who claim that it’s true. At the very least, it raises some interesting 4th amendment issues.

Let’s begin with why the backdoor issue arises.

Vista incorporates a feature called BitLocker Drive Encryption. BitLocker, which “is included in the Enterprise and Ultimate editions of Vista,” encrypts data on a computer. BitLocker Drive Encryption, Wikipedia. “By default it uses the AES encryption algorithm in CBC mode with a 128 bit key, combined with the Elephant diffuser for additional security.” BitLocker Drive Encryption, Wikipedia. According to Microsoft, it prevents unauthorized users from gaining access to data contained on a computer: “with BitLocker all user and system files are encrypted including the swap and hibernation files.” BitLocker, Microsoft.

Users’ ability to encrypt all the files on their computer obviously poses problems for law enforcement officers who want to search a computer for evidence of a crime. But as some have noted, BitLocker should not pose problems for law enforcement in two instances:

One is if the computer is running; as one source notes, “forensic tools can access the encrypted volume of a running system just like any other program”. Simson Garfinkel, Drive Encryption: Two Tales, Technology Review. If the computer is running, the encryption key has already been entered into the computer, so the encryption is not an issue.

The other instance in which BitLocker won’t pose problems for law enforcement is when people haven’t bothered to use it.

As we probably all know, encryption is not new; encryption is available on the Mac I am using to write this, and there are programs available which can be used to encrypt data. So far, most people simply don’t bother.

Notwithstanding all this, BitLocker will still probably raise issues for law enforcement. One is how officers should proceed when they arrive to execute a computer search and the computer is running; the officers can presumably conduct a forensic analysis of the computer and thereby avoid BitLocker’s encryption, but that remains to be seen. I am not going to address that issue here. What I want to examine is the legality (or illegality) of including a backdoor on the Vista system to let law enforcement bypass encryption that has been installed on a system and that is in effect because the system has been shut down.

We will assume, for the purposes of analysis only (which means this is all purely hypothetical), that Microsoft incorporates a backdoor that lets law enforcement bypass Vista encryption. For the purposes of analysis, we will also assume that officers arrive at John Doe’s home with a warrant to search his computer for evidence of a crime (child pornography, terrorism, murder, take your pick). He lets them in, takes them to the computer, the computer is not running and they quickly find out he has implemented BitLocker. Now, BitLocker can be implemented several ways, one of which involves storing the BitLocker encryption key on a USB drive; the USB drive must be inserted into the computer for it to boot. The officers ask Doe for the USB drive they need to boot the computer; he refuses to give it to them, says he “threw it away.”
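Before turning to the legal analysis, it helps to see what “the key on a USB drive” and “a backdoor that bypasses the encryption” would mean in concrete terms. The block below is an added example, not code from the original post and not Microsoft’s code: it is a constructed, simplified model of a key-protector design, in which a random volume master key protects the data and is stored once per “protector” (a USB startup key, a recovery password, and a hypothetical vendor escrow key), each copy wrapped under that protector’s key. BitLocker’s real design is likewise layered (one volume master key unlocked by any of several key protectors), but the wrapping scheme, field names and the `vendor-escrow` protector here are assumptions made for illustration, not BitLocker’s on-disk format. The point the code makes is that a vendor backdoor of the kind the post hypothesises is technically just one more protector, and that enumerating the protectors on a volume is how a defender would notice one the owner never configured.

```python
import hashlib
import hmac
import os

# Constructed model of a key-protector layout (added example; not BitLocker's
# real on-disk format and not Microsoft code). Assumptions: a 256-bit volume
# master key (VMK) protects the data, and each protector holds its own wrapped
# copy of the VMK. Any single protector key is enough to recover the VMK.

VMK_LEN = 32


def _keystream(protector_key: bytes, nonce: bytes) -> bytes:
    # Constructed stdlib-only wrap: an HMAC-derived keystream XORed over the VMK.
    return hmac.new(protector_key, b"wrap-stream" + nonce, hashlib.sha256).digest()


def wrap_vmk(protector_key: bytes, vmk: bytes) -> dict:
    """Return a protector record: the wrapped VMK plus an authentication tag."""
    if len(vmk) != VMK_LEN:
        raise ValueError("VMK must be 32 bytes")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(vmk, _keystream(protector_key, nonce)))
    tag = hmac.new(protector_key, b"wrap-tag" + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap_vmk(protector_key: bytes, rec: dict) -> bytes:
    """Recover the VMK, or raise if this key does not open this protector."""
    expect = hmac.new(protector_key, b"wrap-tag" + rec["nonce"] + rec["ct"],
                      hashlib.sha256).digest()
    if not hmac.compare_digest(expect, rec["tag"]):
        raise ValueError("protector key rejected")
    return bytes(a ^ b for a, b in zip(rec["ct"], _keystream(protector_key, rec["nonce"])))


def recovery_key_from_password(password: str, salt: bytes) -> bytes:
    # The "forgot my access code" path: a recovery password is stretched into a
    # protector key with PBKDF2 (assumed construction, not BitLocker's).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, VMK_LEN)


class Volume:
    def __init__(self):
        self.vmk = os.urandom(VMK_LEN)  # would encrypt the sector data; held only in RAM while mounted
        self.protectors = []            # on-disk metadata, readable by anyone with the drive

    def add_protector(self, kind: str, protector_key: bytes, **meta) -> None:
        rec = wrap_vmk(protector_key, self.vmk)
        rec.update(kind=kind, **meta)
        self.protectors.append(rec)

    def unlock(self, kind: str, protector_key: bytes) -> bytes:
        for rec in self.protectors:
            if rec["kind"] == kind:
                return unwrap_vmk(protector_key, rec)
        raise KeyError(kind)


def audit_protectors(volume: Volume, expected_kinds: set) -> list:
    """Defender's check: protector kinds present on the volume that the owner never configured."""
    return sorted({p["kind"] for p in volume.protectors} - expected_kinds)


def demo():
    """Build a constructed volume with the protectors discussed in the post."""
    vol = Volume()
    usb_key = os.urandom(VMK_LEN)  # the secret that would live on Doe's USB drive
    salt = os.urandom(16)
    vol.add_protector("usb-startup-key", usb_key)
    vol.add_protector("recovery-password",
                      recovery_key_from_password("constructed-recovery-pw", salt), salt=salt)
    # Hypothetical vendor escrow protector: the "backdoor" of the post, as a
    # placeholder key the vendor would hold. Nothing about it is hidden from a
    # reader of the metadata; it is simply one more entry in the list.
    vendor_key = b"\x00" * VMK_LEN
    vol.add_protector("vendor-escrow", vendor_key)
    return vol, usb_key, salt, vendor_key


if __name__ == "__main__":
    vol, usb_key, salt, vendor_key = demo()
    print("protectors on volume:", [p["kind"] for p in vol.protectors])
    print("unexpected:", audit_protectors(vol, {"usb-startup-key", "recovery-password"}))
```

Two things follow from the model. First, the USB drive Doe “threw away” is only one of the keys that can open the volume; if an escrow protector existed, its holder would not need Doe’s drive at all, which is exactly the situation the post goes on to analyse. Second, an escrow protector cannot be invisible in a layered design like this one, because the wrapped copy has to be stored somewhere the unlocking code can find it; the defender’s check is therefore to enumerate the configured protectors and compare them with what the owner set up (on a real Windows system, for example, with `manage-bde -protectors -get`).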

Absent a Vista backdoor, they have two and only two options at this point: They can use a grand jury subpoena or other means to “compel” Doe to surrender the key (assuming he lied when he said he threw it away), but to do this they probably will have to give him immunity for the act of handing it over. As I explained in an earlier post, immunity lets the government override his Fifth Amendment privilege, which Doe will assert as the basis for refusing to turn over the key. Doe will say, in effect, that by turning the key over he would be forced to be a witness against himself in violation of his Fifth Amendment privilege against self-incrimination.

Unfortunately, giving Doe immunity for the act of handing over the USB drive probably means they will not be able to prosecute him, since the effect of the immunity is to bar the government from using his act of handing over the drive and any evidence derived, directly or indirectly, from that act against him in a criminal prosecution. Since the evidence, if any, found on the hard drive would derive from the act of handing over the USB drive, they would be giving up the opportunity to prosecute him. The other option is to break the encryption which, I believe, would be very difficult to do.

What if, hypothetically, Microsoft had created a backdoor in Vista that would let law enforcement bypass BitLocker encryption and access the data on Doe’s computer? If Microsoft were to do this, could law enforcement then use the backdoor without violating the 4th amendment?

I don’t know of any criminal cases in which this issue has arisen. It came up last year when Michael Crooker sued Compaq (now HP) for false advertising. Crooker claimed he bought a Compaq laptop because it was advertised as having a feature – DriveLock – that secured data on its hard drive. The FBI, which had a warrant to search Crooker’s laptop, apparently found some way around the DriveLock security. In his lawsuit, Crooker claimed they used a backdoor provided by Compaq (HP). Crooker’s suit was ultimately dismissed, for whatever reason, and is irrelevant to this discussion anyway, since it did not raise any constitutional claims.

In the Doe case, the officers have a warrant to search Doe’s computer, and that allows them to access the data it contains. They, however, need outside help to access that data. There are state and federal statutes that let law enforcement obtain help from private citizens to execute search warrants; police, for example, have always needed help from phone company employees to tap landline telephone calls. The government would probably argue that the officers’ using the backdoor Microsoft installed on the system is no different from officers’ obtaining the assistance of telephone company employees to tap telephone calls. The warrant gives the officers the constitutional authority to obtain the evidence (here, the content of the calls); the telephone company employees are simply helping them to implement that authority.

The defense would argue that law enforcement’s using our hypothetical Vista backdoor to access the data on Doe’s encrypted computer is different from the scenario I outline above. How is it different? Well, one difference goes to the issue Crooker raised in his lawsuit: Doe, the defense would argue, specifically purchased a computer with Vista in order to be able to use BitLocker to secure his data from anyone and everyone, including law enforcement. Doe, the defense would say, believed he could rely on the technology he purchased from Microsoft to protect his data because (in our hypothetical) he had no reason to know there was a backdoor.

The defense would then argue that by (hypothetically) installing the backdoor, Microsoft became an agent of law enforcement. As I’ve noted before, a private party can become a law enforcement agent, which means the private party’s conduct must comply with the 4th amendment. To become a law enforcement agent, the private party must act with the purpose of assisting law enforcement (which we have here) and law enforcement must encourage the party’s engaging in conduct that assists law enforcement (which we also have here). If, then, Microsoft were to install a Vista backdoor and let law enforcement use it, Microsoft would be a law enforcement agent, at least with regard to BitLocker overrides.

The government, again, would say there’s no problem here, that the same rationale used to get phone companies to tap calls applies, i.e., the search warrant justifies what law enforcement does and what Microsoft-as-hypothetical-agent-of-law-enforcement does. Somehow, though, that just doesn’t seem right to me.

It seems to me that here Microsoft is acting like a bailor, i.e., someone who has custody of another person’s property and who is legally obligated to keep it secure. Airlines are bailors for our luggage; banks are bailors for the things we put in our safe-deposit boxes, etc. Microsoft is not technically a bailor because Doe has not given his data to Microsoft to hold and keep secure. But the relationship is analogous to a bailor-bailee relationship in that Microsoft has, at least implicitly, assumed some responsibility for keeping Doe’s computer data secure. Doe, after all, bought a Vista-equipped computer because he wanted the protection provided by BitLocker; he had no idea Microsoft could and would nullify that protection when asked to do so by law enforcement.

In a sense, what Microsoft is doing in our hypothetical is consenting to the search of Doe’s computer. Doe says “no” to the officers, Microsoft says “go ahead.” If we think of the hypothetical BitLocker backdoor as a type of consent, and if we analogize Microsoft to a bailor, then the consent would not be valid for 4th amendment purposes. There’s a federal case from the 8th Circuit Court of Appeals, United States v. James, 353 F.3d 606 (2003), in which James left disks in a sealed envelope with a friend. Federal agents asked the friend to open the envelope so they could search the disks, and the friend did. The Eighth Circuit held that this violated the 4th amendment because while the friend had lawful custody of the disks, he did not have the constitutional authority to consent to the opening of the package and to the search of the disks. Seems to me Doe could make a similar argument as to the hypothetical backdoor in Vista.

All of this will probably never come up for BitLocker, since Microsoft vehemently denies putting a backdoor in Vista (and I tend to believe them). But that does not mean law will never have to confront the problem of backdoors.

In the first scenario, the security container manufacturer acts just like the phone company when the phone company helps law enforcement execute a warrant to tap into telephone calls. As I noted in the post, courts have said this is okay, because the telephone company, or, here, the security container manufacturer, is clearly acting as an agent of the state, but that's okay because the government has a warrant. The warrant applies to both.

The second scenario would come up if the security container manufacturer had kept what was, in essence, a backdoor to the safe for the purpose of assisting law enforcement with searches of safes that are designed to obtain criminal evidence. If the security container manufacturer did that, then we'd have the same scenario as above, i.e., there'd be a basis for arguing that the company acted as an agent of the state when it sold the product with the backdoor, etc.

The argument would become more complex if there were some other, neutral reason why the company kept the backdoor.

So in the BitLocker scenario, Microsoft could say a backdoor exists to assist a customer that forgot or lost their access code, and then it would only use it in a law enforcement action when compelled to by the court.

That would seem to be analogous to the telephone company scenario, i.e., the premise being that technology or some unique expertise on the part of a civilian entity can be "borrowed" by law enforcement for the purposes of executing a search warrant.

BitLocker's or Vista's EULA probably absolves Microsoft of any responsibility for John's data security. This would probably be enough to let them implement a back door, since that releases Microsoft from the responsibility of a bailor.

But this is why I use Linux and such. It's much more difficult to hide secrets like that. I plan to use encryption soon, just because I'm paranoid.

This whole discussion is based on the assumption that Microsoft, in cooperation with law-enforcement, would respect constitutionally protected rights. However, experience has shown of late that the government does not in any way respect those rights. Simply look at all the illegal wiretapping of Americans as evidence. Indefinite detention of prisoners without trial...etc, etc.

What more evidence do you need that such capabilities built within a closed system, away from public scrutiny, is not only possible but plausible?

I don't think it has a back door, but I think that you are overlooking something important by assuming that the primary purpose is evidence. Most of the goverments marginal actions now are centered around investigation, not evidence collection. If they take your disk and through an illegal backdoor they see that you committed a certain crime on a certain date, they can use that to know exactly where to look for things they can use as evidence. I imagine that they would even return your drive to you indicating that they couldn't read anything. Don't you imagine that the No Such Agency does that all the time so they don't take chances on having to reveal techniques, etc.